Introduction to Reverse Engineering Firmware

I am really interested in reverse engineering and I have read a very interesting paper which I decided to share with you. 

What is Firmware?

Firmware is a specific kind of low-level software that controls the hardware; in embedded systems it can function as the operating system. A malicious attack on the firmware can lead to firmware modification, which is critical because the firmware controls the whole device.

In this post, we will review how to reverse engineer firmware and get familiar with the tools used for it.

In this picture you can see all the steps to reverse engineer firmware.

Binary analysis:

In general, to analyze a firmware binary, we compare the file with similar versions of the firmware and then detect the filesystem.

In this part, we identify the target processor, functions, strings, and so on.

Derivation of validation method:

When firmware is updated or uploaded, there should be a secure mechanism that checks the firmware is valid. In this part, we extract that validation method. There are several approaches to this task, such as black-boxing, disassembly analysis and hardware debugging, which will be discussed later.

Before anything else, it is essential to introduce some tools that are useful in analyzing a firmware binary.

For analyzing the binary we can use the HxD hex editor, for comparing two firmware binaries VBinDiff (Visual Binary Diff), and for recognizing the filesystem Binwalk.

For disassembly, IDA Pro, a powerful tool, is used.

For brute-forcing the validation method, CRC RevEng can be used.

For hardware debugging of the ARM architecture, the ARM Development Studio 5 (DS-5) debugger can be used.
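To make the validation-method step concrete, here is an added Python example (not code from this post or from the paper it summarizes) of the idea behind CRC RevEng: given two or more (message, stored checksum) pairs taken from different firmware versions, try a table of well-known CRC-32 parameter sets and report which one reproduces every stored value. The parameter values are the public catalogue ones; the firmware images, and the assumption that the checksum is a 4-byte little-endian trailer, are constructed for the demo.

```python
"""
Added example (not from the post or the paper): identifying which CRC-32 variant
produced a firmware's stored checksum, the idea behind CRC RevEng. Each known
parameter set is tried against several (message, stored checksum) pairs; only the
set that reproduces all of them survives. Candidate values are the public
catalogue ones; the firmware images and the trailer layout are constructed.
"""
import zlib

# (name, polynomial, init, reflect input/output, final xor) in Williams' model.
CRC32_CANDIDATES = [
    ("CRC-32 (IEEE/zlib)", 0x04C11DB7, 0xFFFFFFFF, True,  0xFFFFFFFF),
    ("CRC-32/BZIP2",       0x04C11DB7, 0xFFFFFFFF, False, 0xFFFFFFFF),
    ("CRC-32/MPEG-2",      0x04C11DB7, 0xFFFFFFFF, False, 0x00000000),
    ("CRC-32/POSIX",       0x04C11DB7, 0x00000000, False, 0xFFFFFFFF),
    ("CRC-32C",            0x1EDC6F41, 0xFFFFFFFF, True,  0xFFFFFFFF),
    ("CRC-32/JAMCRC",      0x04C11DB7, 0xFFFFFFFF, True,  0x00000000),
]

def _reflect(value: int, width: int) -> int:
    """Mirror the low `width` bits of value (bit 0 <-> bit width-1)."""
    out = 0
    for i in range(width):
        if value >> i & 1:
            out |= 1 << (width - 1 - i)
    return out

def crc32_generic(data: bytes, poly: int, init: int, refl: bool, xorout: int) -> int:
    """Bit-serial CRC-32. The register always shifts MSB-first; reflected
    variants are handled by mirroring each input byte and the final register,
    exactly as in Williams' reference model (so init is loaded as given)."""
    crc = init
    for byte in data:
        if refl:
            byte = _reflect(byte, 8)
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ poly) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
    if refl:
        crc = _reflect(crc, 32)
    return crc ^ xorout

def identify_crc(samples: list) -> list:
    """Names of the candidate parameter sets that reproduce every
    (message, stored_checksum) pair. Use at least two samples so that a
    single coincidental match cannot mislead you."""
    return [name for name, poly, init, refl, xorout in CRC32_CANDIDATES
            if all(crc32_generic(msg, poly, init, refl, xorout) == stored
                   for msg, stored in samples)]

def split_trailer(image: bytes) -> tuple:
    """Demo assumption: the stored checksum is a 4-byte little-endian trailer,
    located earlier by diffing versions (it sits in a dynamic region)."""
    return image[:-4], int.from_bytes(image[-4:], "little")

def demo_image(version: int) -> bytes:
    """Constructed firmware image: body + IEEE CRC-32 trailer."""
    body = b"FWHDR" + bytes([version]) + b"\x00" * 10 + b"payload block " * 8
    return body + zlib.crc32(body).to_bytes(4, "little")

if __name__ == "__main__":
    samples = [split_trailer(demo_image(v)) for v in (1, 2, 3)]
    print("matching parameter sets:", identify_crc(samples))
```

A match against a plain CRC entry tells a defender something important: the image carries an integrity check only, not authentication. Any party who can write the image can recompute the value, so a CRC does not stop firmware modification; a signed image would match no entry in this table and is the control that actually binds the update to the vendor.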

Detecting vulnerabilities in the firmware:

First of all, we analyze the binary file with HxD. The first step is to recognize whether the file is packed. If it is, it must be unpacked with the corresponding unpacking algorithm.

The next step is comparing the target binary with other versions. This step is essential: by comparing several versions we can identify the static and dynamic sections. Dynamic sections are the portions of the file that change between versions; we need to identify them because they are used by the validation method.

Then, by searching for signatures, we can identify the type of filesystem, such as cramfs or squashfs. After that, using IDA Pro, we can identify the methods and functions.
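The three steps above (packing check, version comparison, filesystem signature search) as an added Python example; this is not code from the post or from the paper it summarizes. The firmware images it analyzes are constructed for the demo, the signature table holds only well-known public magic values, and the entropy threshold of 7.0 bits per byte is an assumed heuristic rather than anything the post specifies.

```python
"""
Added example (not from the post or the paper it summarizes): the three
binary-analysis steps described above, run on small constructed images.

  1. per-block entropy      -> is the image packed/compressed or plain?
  2. byte-wise version diff -> which regions are static, which are dynamic?
  3. magic-signature scan   -> which filesystem (cramfs, squashfs, ...) is inside?
"""
import math
import struct
import zlib
from collections import Counter

# Well-known public magic values of the kind a binwalk-style scanner looks for.
SIGNATURES = {
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    struct.pack("<I", 0x28CD3D45): "cramfs (little-endian)",
    struct.pack(">I", 0x28CD3D45): "cramfs (big-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x7fELF": "ELF executable",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(image: bytes, block: int = 256) -> list:
    """Entropy of each fixed-size block; high values mark compressed or encrypted regions."""
    return [round(shannon_entropy(image[i:i + block]), 2)
            for i in range(0, len(image), block)]

def looks_packed(image: bytes, block: int = 256, threshold: float = 7.0) -> bool:
    """Assumed heuristic: if most blocks are near-uniform, the image is probably packed."""
    profile = entropy_profile(image, block)
    return sum(e >= threshold for e in profile) > len(profile) / 2

def scan_signatures(image: bytes) -> list:
    """Return (offset, description) for every known magic value found in the image."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)

def diff_regions(a: bytes, b: bytes) -> list:
    """Contiguous (start, end) byte ranges where two same-length versions differ.
    Everything outside these ranges is static; the ranges themselves are the
    dynamic data (version fields, checksums) that the validation method covers."""
    if len(a) != len(b):
        raise ValueError("compare same-length images; align or pad them first")
    regions, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(a)))
    return regions

def build_demo_image(version: int) -> bytes:
    """Constructed image: 16-byte header with a version byte, a squashfs-tagged
    compressed payload, and a 4-byte little-endian CRC-32 trailer."""
    header = b"FWHDR" + bytes([version]) + b"\x00" * 10
    payload = b"hsqs" + zlib.compress(b"root filesystem contents " * 40)
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))

if __name__ == "__main__":
    v1, v2 = build_demo_image(1), build_demo_image(2)
    print("packed?", looks_packed(v1), "entropy profile:", entropy_profile(v1))
    print("signatures:", scan_signatures(v1))
    print("dynamic regions between v1 and v2:", diff_regions(v1, v2))
```

On the two constructed versions the diff reports the version byte at offset 5 and the CRC trailer at the end, which is exactly the "dynamic section used by the validation method" the post describes; the signature scan finds the squashfs magic right after the header, and the entropy profile of a mostly-compressed image stays close to 8 bits per byte.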


In this paper, the authors aim to upload a modified firmware without any restrictions.

Firmware modification
